org.jsslutils.sslcontext
Class PKIXSSLContextFactory

java.lang.Object
  extended by org.jsslutils.sslcontext.DefaultSSLContextFactory
      extended by org.jsslutils.sslcontext.X509SSLContextFactory
          extended by org.jsslutils.sslcontext.PKIXSSLContextFactory
All Implemented Interfaces:
SSLContextFactory

public class PKIXSSLContextFactory
extends X509SSLContextFactory

This class is a factory that provides methods for creating an SSLContext configured with the settings set in this factory, using the PKIX algorithm for both the key manager and the trust manager. These managers are created from the KeyStores passed to the constructor. This implementation builds a trust manager that supports certificate revocation checking with CRLs; see the CRL-related methods. The "org.jsslutils.prop.crlReloadInterval" system property may be used to configure the reload interval, in seconds, for CRLs that are reloaded automatically (0 disables reloading).

Author:
Bruno Harbulot

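The following is an added example, not code from jsslutils or from its documentation, showing the intended use of this class end to end: load a key store and a trust store, construct the factory with revocation enabled, register the issuing CA's CRL from a local file, and build the SSLContext. The file names, key store types and passwords are placeholder assumptions; the constructor, addCrl(InputStream) and the inherited buildSSLContext() are the methods listed on this page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

import org.jsslutils.sslcontext.PKIXSSLContextFactory;

/**
 * Builds a server-side SSLContext whose trust manager performs PKIX path
 * validation with revocation checking against a CRL read from a local file.
 * File names and passwords below are placeholders (assumptions), not values
 * taken from the jsslutils documentation.
 */
public class RevocationAwareServerContext {

    /** Loads a KeyStore of the given type from a file; a null password skips the integrity check. */
    private static KeyStore loadKeyStore(String path, String type, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static SSLContext build() throws Exception {
        char[] keyStorePassword = "changeit".toCharArray(); // placeholder
        char[] keyPassword = "changeit".toCharArray();      // placeholder

        // Server identity: private key plus its certificate chain.
        KeyStore keyStore = loadKeyStore("server-keystore.p12", "PKCS12", keyStorePassword);
        // Trust anchors: only the CA(s) whose client certificates are accepted.
        KeyStore trustStore = loadKeyStore("client-ca-truststore.jks", "JKS", null);

        // enableRevocation = true: the PKIX trust manager rejects any chain
        // whose revocation status it cannot establish from the CRLs it holds.
        PKIXSSLContextFactory factory =
                new PKIXSSLContextFactory(keyStore, keyPassword, trustStore, true);

        // Register the issuing CA's CRL. addCrl(InputStream) does not close
        // the stream, so it is closed here.
        InputStream crlIn = new FileInputStream("client-ca.crl");
        try {
            factory.addCrl(crlIn);
        } finally {
            crlIn.close();
        }

        return factory.buildSSLContext();
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory serverSockets = build().getServerSocketFactory();
        System.out.println("PKIX server context built with revocation checking enabled: "
                + serverSockets.getClass().getName());
    }
}
```

With revocation enabled, the JDK's PKIX implementation fails closed: a chain whose issuer has no CRL available to the validator is rejected with a "could not determine revocation status" error rather than accepted unchecked. Every CA in the chain therefore needs a CRL registered here, and that CRL has to be kept current with addCrl(String, long) or addReloadableCrl(String) rather than loaded once at start-up.
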
Nested Class Summary
 
Nested classes/interfaces inherited from interface org.jsslutils.sslcontext.SSLContextFactory
SSLContextFactory.SSLContextFactoryException
 
Field Summary
static String CRL_RELOAD_INTERVAL_PROP
           
protected  Set<CRL> crlCollection
           
protected  boolean enableRevocation
           
 
Fields inherited from class org.jsslutils.sslcontext.X509SSLContextFactory
KEY_PASSWORD_PROP, KEYSTORE_FILE_PROP, KEYSTORE_PASSWORD_PROP, KEYSTORE_PROVIDER_ARGFILE_PROP, KEYSTORE_PROVIDER_ARGTEXT_PROP, KEYSTORE_PROVIDER_CLASS_PROP, KEYSTORE_PROVIDER_PROP, KEYSTORE_TYPE_PROP, TRUSTSTORE_FILE_PROP, TRUSTSTORE_PASSWORD_PROP, TRUSTSTORE_PROVIDER_ARGFILE_PROP, TRUSTSTORE_PROVIDER_ARGTEXT_PROP, TRUSTSTORE_PROVIDER_CLASS_PROP, TRUSTSTORE_PROVIDER_PROP, TRUSTSTORE_TYPE_PROP
 
Fields inherited from class org.jsslutils.sslcontext.DefaultSSLContextFactory
CONTEXT_PROTOCOL_NAME_PROP, CONTEXT_PROVIDER_NAME_PROP, SECURERANDOM_ALGORITHM_PROP, SECURERANDOM_PROVIDER_NAME_PROP
 
Constructor Summary
PKIXSSLContextFactory()
           
PKIXSSLContextFactory(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
          Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
PKIXSSLContextFactory(KeyStore keyStore, char[] keyPassword, KeyStore trustStore, boolean enableRevocation)
          Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
PKIXSSLContextFactory(KeyStore keyStore, String keyPassword, KeyStore trustStore)
          Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
PKIXSSLContextFactory(KeyStore keyStore, String keyPassword, KeyStore trustStore, boolean enableRevocation)
          Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.
 
Method Summary
 void addCrl(CRL crl)
          Adds a CRL to the collection used by getCrlCollection() (and thus the trust manager by default).
 void addCrl(InputStream crlInputStream)
          Adds a CRL from an InputStream to the collection used by getCrlCollection() (and thus the trust manager by default).
 void addCrl(String crlUrl)
          Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default).
 void addCrl(String crlUrl, long reloadInterval)
          Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default); this CRL will be reloaded periodically.
 void addCrlCollection(Collection<? extends CRL> crlCollection)
          Adds CRLs to the collection used by getCrlCollection() (and thus the trust manager by default).
 Callable<X509CRL> addReloadableCrl(String crlUrl)
          Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default).
protected  CertStore getCertStore()
          Returns the CertStore added to the PKIXParameters in getPKIXParameters().
 Collection<? extends CRL> getCrlCollection()
          Returns the Collection of X509CRLs used to initialise the CollectionCertStoreParameters used in getCertStore().
protected  PKIXParameters getPKIXParameters()
          Returns the PKIXParameters used for initialising the ManagerFactoryParameters in getTrustParams().
protected  TrustManager[] getRawTrustManagers()
          Builds TrustManagers from the trust store provided in the constructor, using a PKIX TrustManagerFactory.
protected  ManagerFactoryParameters getTrustParams()
          Returns the ManagerFactoryParameters used for initialising the TrustManagerFactory in getTrustManagers().
 CRL loadCrl(InputStream crlInputStream)
          Builds a CRL object from an InputStream.
 CRL loadCrl(String crlUrl)
          Builds a CRL object from a URL.
 
Methods inherited from class org.jsslutils.sslcontext.X509SSLContextFactory
configure, getKeyManagers, getKeyStore, getRawKeyManagers, getTrustManagers, getTrustStore, setKeyManagerWrapper, setKeyPassword, setKeyPasswordCallbackHandler, setKeyStore, setKeyStorePasswordCallbackHandler, setTrustManagerWrapper, setTrustStore, setTrustStorePasswordCallbackHandler
 
Methods inherited from class org.jsslutils.sslcontext.DefaultSSLContextFactory
buildSSLContext, buildSSLContext, clone, getContextProtocol, getContextProvider, getDefaultSecureRandomAlgorithm, getSecureRandom, getSecureRandomProvider, setSecureRandom
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

CRL_RELOAD_INTERVAL_PROP

public static final String CRL_RELOAD_INTERVAL_PROP

enableRevocation

protected boolean enableRevocation

crlCollection

protected Set<CRL> crlCollection
Constructor Detail

PKIXSSLContextFactory

public PKIXSSLContextFactory()

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             char[] keyPassword,
                             KeyStore trustStore,
                             boolean enableRevocation)
Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.

Parameters:
keyStore - KeyStore that contains the key.
keyPassword - password to the key.
trustStore - KeyStore that contains the trusted X.509 certificates.
enableRevocation - sets whether certificate revocation should be enabled.

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             String keyPassword,
                             KeyStore trustStore,
                             boolean enableRevocation)
Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory.

Parameters:
keyStore - KeyStore that contains the key.
keyPassword - password to the key.
trustStore - KeyStore that contains the trusted X.509 certificates.
enableRevocation - sets whether certificate revocation should be enabled.

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             char[] keyPassword,
                             KeyStore trustStore)
Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory. Certificate revocation is enabled by default.

Parameters:
keyStore - KeyStore that contains the key.
keyPassword - password to the key.
trustStore - KeyStore that contains the trusted X.509 certificates.

PKIXSSLContextFactory

public PKIXSSLContextFactory(KeyStore keyStore,
                             String keyPassword,
                             KeyStore trustStore)
Builds an SSLContextFactory using the PKIX algorithm in the TrustManagerFactory. Certificate revocation is enabled by default.

Parameters:
keyStore - KeyStore that contains the key.
keyPassword - password to the key.
trustStore - KeyStore that contains the trusted X.509 certificates.
Method Detail

getRawTrustManagers

protected TrustManager[] getRawTrustManagers()
                                      throws SSLContextFactory.SSLContextFactoryException
Builds TrustManagers from the trust store provided in the constructor, using a PKIX TrustManagerFactory. The TrustManagerFactory parameters used are those provided by getTrustParams().

Overrides:
getRawTrustManagers in class X509SSLContextFactory
Returns:
PKIX-based trust managers corresponding to the trust store.
Throws:
SSLContextFactory.SSLContextFactoryException

getTrustParams

protected ManagerFactoryParameters getTrustParams()
                                           throws SSLContextFactory.SSLContextFactoryException
Returns the ManagerFactoryParameters used for initialising the TrustManagerFactory in getTrustManagers(). You can override it, but the default behaviour is to build a CertPathTrustManagerParameters from the PKIXParameters returned by getPKIXParameters().

Returns:
ManagerFactoryParameters used by getTrustManagers().
Throws:
SSLContextFactory.SSLContextFactoryException

getPKIXParameters

protected PKIXParameters getPKIXParameters()
                                    throws SSLContextFactory.SSLContextFactoryException
Returns the PKIXParameters used for initialising the ManagerFactoryParameters in getTrustParams(). You can override it, but the default behaviour is to build a PKIXBuilderParameters from the trustStore, enable or disable revocation checking according to enableRevocation, and add the CertStore provided by getCertStore().

Returns:
PKIXParameters used by getTrustParams()
Throws:
SSLContextFactory.SSLContextFactoryException

getCertStore

protected CertStore getCertStore()
                          throws SSLContextFactory.SSLContextFactoryException
Returns the CertStore added to the PKIXParameters in getPKIXParameters(). You can override it, but the default behaviour is to build a CertStore using the Collection of X509CRL obtained from getCrlCollection(). Typical extensions would probably consist of using an LDAP-based CertStore.

Returns:
CertStore used by getPKIXParameters().
Throws:
SSLContextFactory.SSLContextFactoryException
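
As an added example of the extension point described above (this is not jsslutils code): a subclass that keeps the default CRL collection and additionally lets the validator look CRLs up in an LDAP directory, by overriding getPKIXParameters() to append the JDK's built-in "LDAP" CertStore to the parameters returned by the superclass. The directory host and port are placeholder assumptions, and the SSLContextFactoryException constructor taking a message and a cause is assumed to exist.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.PKIXParameters;

import org.jsslutils.sslcontext.PKIXSSLContextFactory;
import org.jsslutils.sslcontext.SSLContextFactory;

/**
 * PKIXSSLContextFactory that, in addition to the CRLs registered through
 * addCrl()/addCrlCollection(), lets the PKIX validator fetch CRLs from an
 * LDAP directory using the JDK's "LDAP" CertStore type.
 */
public class LdapCrlSSLContextFactory extends PKIXSSLContextFactory {

    private final String ldapHost; // placeholder: directory host
    private final int ldapPort;    // placeholder: directory port

    public LdapCrlSSLContextFactory(KeyStore keyStore, char[] keyPassword,
            KeyStore trustStore, String ldapHost, int ldapPort) {
        // Revocation has to be enabled for any CertStore to be consulted.
        super(keyStore, keyPassword, trustStore, true);
        this.ldapHost = ldapHost;
        this.ldapPort = ldapPort;
    }

    @Override
    protected PKIXParameters getPKIXParameters()
            throws SSLContextFactory.SSLContextFactoryException {
        // Keep the default behaviour: trust anchors from the trust store, the
        // revocation flag, and the collection-based CertStore of local CRLs.
        PKIXParameters params = super.getPKIXParameters();
        try {
            // Append the directory as a second source of CRLs.
            CertStore ldap = CertStore.getInstance("LDAP",
                    new LDAPCertStoreParameters(ldapHost, ldapPort));
            params.addCertStore(ldap);
        } catch (GeneralSecurityException e) {
            // Assumes SSLContextFactoryException has a (String, Throwable) constructor.
            throw new SSLContextFactory.SSLContextFactoryException(
                    "Unable to create LDAP CertStore for " + ldapHost + ":" + ldapPort, e);
        }
        return params;
    }
}
```

Two practical consequences of the directory-backed design: the validator verifies a directory-served CRL's signature against the issuing CA before using it, so a compromised directory cannot forge revocation data, but it can withhold it, which with revocation enabled means failed handshakes rather than silently accepted certificates; and the directory lookup happens on the handshake path, so an unreachable directory slows or fails handshakes instead of degrading gracefully.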

getCrlCollection

public Collection<? extends CRL> getCrlCollection()
                                           throws SSLContextFactory.SSLContextFactoryException
Returns the Collection of X509CRLs used to initialise the CollectionCertStoreParameters used in getCertStore().

Returns:
Collection of X509CRL ultimately checked by the trust manager.
Throws:
SSLContextFactory.SSLContextFactoryException

addCrlCollection

public void addCrlCollection(Collection<? extends CRL> crlCollection)
                      throws SSLContextFactory.SSLContextFactoryException
Adds CRLs to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:
crlCollection - collection of CRLs to add.
Throws:
SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(CRL crl)
            throws SSLContextFactory.SSLContextFactoryException
Adds a CRL to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:
crl - CRL to add.
Throws:
SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(InputStream crlInputStream)
            throws SSLContextFactory.SSLContextFactoryException
Adds a CRL from an InputStream to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:
crlInputStream - InputStream containing the CRL to read (this is not closed by this method).
Throws:
SSLContextFactory.SSLContextFactoryException

addCrl

public void addCrl(String crlUrl)
            throws SSLContextFactory.SSLContextFactoryException,
                   MalformedURLException,
                   IOException
Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default).

Parameters:
crlUrl - URL of the CRL to fetch.
Throws:
SSLContextFactory.SSLContextFactoryException
MalformedURLException
IOException

addCrl

public void addCrl(String crlUrl,
                   long reloadInterval)
            throws SSLContextFactory.SSLContextFactoryException,
                   MalformedURLException,
                   IOException
Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default); this CRL will be reloaded periodically.

Parameters:
crlUrl - URL of the CRL to fetch.
reloadInterval - number of seconds between reloads.
Throws:
SSLContextFactory.SSLContextFactoryException
MalformedURLException
IOException

addReloadableCrl

public Callable<X509CRL> addReloadableCrl(String crlUrl)
                                   throws SSLContextFactory.SSLContextFactoryException,
                                          MalformedURLException,
                                          IOException
Adds a CRL from a URL to the collection used by getCrlCollection() (and thus the trust manager by default). The returned Callable reloads this CRL from the URL each time its call() method is invoked; this method does not schedule the Callable in any executor, so arranging periodic reloads is up to the caller.

Parameters:
crlUrl - URL of the CRL to fetch.
Returns:
Callable that reloads the CRL (call() will return the new CRL).
Throws:
SSLContextFactory.SSLContextFactoryException
MalformedURLException
IOException
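
An added example, not part of jsslutils, of the scheduling this method leaves to the caller: the Callable returned by addReloadableCrl is run on a single daemon thread at a fixed delay, every exception is caught so the periodic task is not silently cancelled, and each freshly fetched CRL is checked against its nextUpdate so a distribution point serving a stale CRL is noticed. The URL and interval are whatever the caller passes in; whether an SSLContext that has already been built observes the reloaded CRL is not stated on this page, so rebuild the context after a reload if that behaviour has not been confirmed for the version in use.

```java
import java.security.cert.X509CRL;
import java.util.Date;
import java.util.concurrent.Callable;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;

import org.jsslutils.sslcontext.PKIXSSLContextFactory;

/**
 * Runs the Callable returned by PKIXSSLContextFactory.addReloadableCrl()
 * periodically, keeping the scheduler alive across fetch failures and
 * warning when the fetched CRL is already past its nextUpdate.
 */
public final class CrlReloadScheduler {

    private CrlReloadScheduler() {}

    public static ScheduledExecutorService start(PKIXSSLContextFactory factory,
            final String crlUrl, long intervalSeconds) throws Exception {
        // Registers the CRL now (initial fetch) and hands back the reloader.
        final Callable<X509CRL> reloader = factory.addReloadableCrl(crlUrl);

        // Daemon thread so a forgotten scheduler does not keep the JVM alive.
        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(
                new ThreadFactory() {
                    public Thread newThread(Runnable r) {
                        Thread t = new Thread(r, "crl-reload");
                        t.setDaemon(true);
                        return t;
                    }
                });

        scheduler.scheduleWithFixedDelay(new Runnable() {
            public void run() {
                try {
                    X509CRL fresh = reloader.call();
                    Date nextUpdate = fresh.getNextUpdate();
                    if (nextUpdate != null && nextUpdate.before(new Date())) {
                        // The distribution point is serving a stale CRL: revocations
                        // issued after nextUpdate are invisible to the trust manager.
                        System.err.println("WARNING: CRL from " + crlUrl
                                + " is past its nextUpdate (" + nextUpdate + ")");
                    }
                } catch (Exception e) {
                    // Never let an exception escape: scheduleWithFixedDelay cancels
                    // the task on an uncaught exception, and the CRL would quietly
                    // stop being refreshed.
                    System.err.println("CRL reload from " + crlUrl + " failed: " + e);
                }
            }
        }, intervalSeconds, intervalSeconds, TimeUnit.SECONDS);

        return scheduler;
    }
}
```

The interval should be chosen well below the CRL's own issuance period (nextUpdate minus thisUpdate), since the trust manager only learns of a revocation once the reloaded CRL carries it; and a reload failure is worth alerting on rather than just logging, because a CRL that is never refreshed reverts the deployment to "whatever was revoked at start-up".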

loadCrl

public CRL loadCrl(InputStream crlInputStream)
            throws SSLContextFactory.SSLContextFactoryException
Builds a CRL object from an InputStream.

Parameters:
crlInputStream - InputStream containing the CRL to read (this is not closed by this method).
Returns:
X509CRL built from the representation obtained from this InputStream.
Throws:
SSLContextFactory.SSLContextFactoryException

loadCrl

public CRL loadCrl(String crlUrl)
            throws SSLContextFactory.SSLContextFactoryException,
                   IOException,
                   MalformedURLException
Builds a CRL object from a URL.

Parameters:
crlUrl - URL of the CRL to fetch.
Returns:
X509CRL built from the representation obtained from this URL.
Throws:
SSLContextFactory.SSLContextFactoryException
IOException
MalformedURLException


Copyright © 2012. All Rights Reserved.